General Confidentiality and Utility Metrics for Privacy-Preserving Data Publishing Based on the Permutation Model
This work addresses the need for standardized metrics to evaluate privacy-utility trade-offs in data publishing, which is incremental as it builds on existing models like k-anonymity and differential privacy.
The paper tackles the problem of quantifying data confidentiality and utility in privacy-preserving data publishing by proposing metrics based on the permutation model, distinguishing between anonymity and confidentiality, and applying these metrics to compare trade-offs across various anonymization approaches.
Anonymization for privacy-preserving data publishing, also known as statistical disclosure control (SDC), can be viewed under the lens of the permutation model. According to this model, any SDC method for individual data records is functionally equivalent to a permutation step plus a noise addition step, where the noise added is marginal, in the sense that it does not alter ranks. Here, we propose metrics to quantify the data confidentiality and utility achieved by SDC methods based on the permutation model. We distinguish two privacy notions: in our work, anonymity refers to subjects and hence mainly to protection against record re-identification, whereas confidentiality refers to the protection afforded to attribute values against attribute disclosure. Thus, our confidentiality metrics are useful even if using a privacy model ensuring an anonymity level ex ante. The utility metric is a general-purpose metric that can be conveniently traded off against the confidentiality metrics, because all of them are bounded between 0 and 1. As an application, we compare the utility-confidentiality trade-offs achieved by several anonymization approaches, including privacy models (k-anonymity and $ε$-differential privacy) as well as SDC methods (additive noise, multiplicative noise and synthetic data) used without privacy models.